Installing a Third Party Certificate for WebVPN(SSL) on the ASA

In order to not get the annoying “Invalid certificate” errors in Internet Explorer we need to purchase and install a third party certificate for the ASA. Then we can associate the WebVPN with the certificate so we don’t get the warnings. Of course, you can do this through the ASDM, but what fun is that? CLI all the way, here we go.

Notes -Insert your relevant information between <>-Console prompts are show in green-Text in blueare variable names I made up, feel free to change them -Note sections are in italics and embedded directly within the code below -During the install/setup the CLI asks several questions. I note when they will appear by inserting a line beginning with ‘Question Prompt –‘ in between the lines of code. I also put the response you should enter after the line in bold.

Verify that your clock is set correctly To do this, issue the ‘show clock’ command at the CLI. If it isn’t configured correctly, define a NTP server (Which you should have done during initial config) and ensure your time zone is set correctly. I usually use us.pool.ntp.org as an NTP server. You can resolve it to an IP to get rid of the DNS lookup.

Generate the CSR ASA(config)# crypto key generate rsa label <Your domain name> modulus 2048 Notes: I use the domain name that I am going to use for the label name, it just makes it easier if everything is the same (FQDN, System FQDN, Label, etc….). An example would be ‘SSLVPN.test.com’. Additionally I use a 2048 bit modulus because GoDaddy (The third party CA I am using) will no longer accept the 1024 bit modulus. ASA(config)# crypto ca trustpoint <Your domain name> ASA(config-ca-trustpoint)# subject-name CN=<Your domain name>, OU=<Organization Unit>, O=<Organization Name>, C=<Country (US)>, St=<Your State>, L=<Your City> ASA(config-ca-trustpoint)# keypair <Your domain name>ASA(config-ca-trustpoint)# fqdn <Your domain name> ASA(config-ca-trustpoint)# enrollment terminal ASA(config-ca-trustpoint)# exit ASA(config)# crypto ca enroll <Your domain name>Question Prompt – Include the device serial number in the subject name? [yes/no]:NO Question Prompt – Display Certificate Request to terminal? [yes/no]:YES Notes: After answering YES the CLI will output the CSR. You need to copy the CSR so you can submit it to your Certificate Authority (GoDaddy in this case)Redisplay enrollment request? [yes/no]:NO

Submit your CSR to your Certificate Authority Again, I used GoDaddy because it seemed to be the cheapest. The certificate was less then $30 for the year. You purchase a certificate credit and then when you are ready to submit your CSR you go into their Certificate Management Portal under your login and submit the CSR. After submitting the request it took about 5 minutes for my certificate to be generated. You download the certificate file in Zip format. In the Zip file you should have two certificates. One is the certificate for the FQDN which you purchased and the other is the certificate for the CA. This is where it gets a little tricky. First you need to authenticate the CA by importing their certificate. Then you need to import your actual certificate. I’m not going to get into the details of how certificates work but if you don’t know how, you should find out. Google ‘Public Key encryption’. Alright, so my Zip file had two certificates in it.

gd_bundle.crt – The certificate for the CA <Domain name>.crt – The certificate for my domain

You’ll need to export both of the certificates to Base-64 encoded X.509. To do this in Windows double click the certificate. A certificate window with three tabs should appear as shown below.

Click on the second tab ‘Details’ and select the ‘Copy to File…” button

This will open the Certificate Export Wizard. Press NEXT

On the next screen select ‘Base-64 encoded X.509 (.CER)’ and press NEXT

On the following screen select a location to output the file to and press NEXT

Press FINISH on the summary screen. You should get a pop up window indicating that export was successful.

Now browse to where you chose to store the certificate, right click on it, select ‘Open With’, and choose WordPad. When you open it in WordPad you should get something similar to what is shown below.

Perform this certificate Export for your certificate as well as the CA’s certificate. During the rest of the walk through I will refer to these exports as “CA Certificate”(The CA’s certificate) and “CA Certificate Response”(The certificate for your domain).

Install the certificates on the ASA ASA(config)# crypto ca authenticate <Your domain name> Notes: You will now receive the prompt shown below. ”Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself” Copy the CA Certificate and paste it into the CLI window. Then make sure you are on a new line, type to the word quit, and press enter.Question Prompt – Do you accept this certificate? [yes/no]:yesNotes: After you accept the certificate you should get a message indicating that the certificate import was successfulASA(config)# exit ASA(config)# crypto ca import <Your domain name> certificate Notes: You will now receive the prompt shown below. ”Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself” Copy the CA Certificate Response and paste it into the CLI window. Then make sure you are on a new line, type to the word quit, and press enter. After you press enter you should get a message indicating that the certificate import was successful

Verify You can use the command ‘show crypto ca certificates’ to verify that your certificates imported successfully. Of course the other way to test would be to just connect to the outside IP on SSL and see if you still get that annoying warning.

16 thoughts on “Installing a Third Party Certificate for WebVPN(SSL) on the ASA”

Aw, this was a really quality post. In theory I’d like to write like this too – taking time and real effort to make a good article… but what can I say… I procrastinate alot and never seem to get something done.

I cant say that I have ever done active/standby for VPN configurations. Generally, we use the VPN load balancing feature for VPN ASAs. At any rate, since only one box is active and the backup is a duplicate config I would think you’d be ok with one certificate. The CSR isnt specific to the ASA, its specific to the certificate. If you have more than 2 ASAs, I’d cluster them and do VPN load balancing though. Try out the active/standby single cert config and post back if it works.

(config)# crypto ca enroll
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.